Database breach raises concerns over Web security

In August a computer hacker broke into a North Carolina Community College System server and potentially gained access to the personal information of 51,000 library users across the state.

The cyber break-in was deemed harmless by investigators in the wake of the event, but it left behind glaring questions about the security of personal information on the Internet.

According to N.C. Community College officials, the perpetrator accessed the library patron information in August via a computer server housed in the community college system office in Raleigh by decoding a user password.

An initial investigation revealed that 8,300 driver’s license numbers, originally collected by 18 colleges to help identify library users, were stored on the server. However, an ongoing review of the incident revealed that the Social Security numbers of 42,500 library patrons were also stored on the breached server, including the information of patrons from Haywood Community College and Southwestern Community College.

Ryan Schwiebert, IT director at SCC, explained how the breach affected the college.

“As a college we stopped using social security numbers quite some time ago,” Schwiebert said. “The social security numbers that were jeopardized in the breach were left in the library’s system from two years ago.”

Schwiebert said the state’s community college library server is an “open facing” system, which means it can be accessed via the Internet. He said best policy dictates that private information be maintained only on servers that don’t allow that level of access. For instance, the SCC’s student information database is secured on a server protected by layers of firewalls.

“That type of server would be very difficult for a hacker to access without being caught,” Schwiebert said. “Even for one of our own people.”

In the wake of the security breach, N.C. Community College officials notified 51,000 library users from 25 community colleges that a security breach had occurred on a computer server containing their personal information. While reviews and investigations after the event indicated that the hacker had not accessed any personal information, state and federal privacy laws dictated that the college system inform all of the users who had potentially been affected by the breach.

Forty-six community colleges that participate in the Community College Libraries in North Carolina consortium maintain information on more than 270,000 library users on this server. The security breach was discovered Monday, Aug. 24, during a routine security review and was reported to the state’s Information Technology Service at that time. Students potentially affected weren’t notified for another four months.